Content area
Full text
OCR is selecting a sample of covered entities, which includes hospitals and other medical service providers, to perform desk audits. OCR has started contacting 500-800 covered entities in preparation to survey these entities this summer. From that 500-800 entity survey group, OCR is going to select 350 covered entities on which to perform desk audits. Some hospitals will be included. The HIPAA desk audits start in October 2014, and they will run until June 2015.
The hospitals won’t receive notice that they are getting a desk audit until late summer or early fall of this year. The desk audits represent phase two of OCR’s HIPAA audit program, notes Melissa Goldman, JD, an attorney with the Florida Health Law Center in Davie. Phase one, which began in 2012, involved full on-site audits for covered entities conducted by the outside accounting firm KPMG, but the desk audits will be much narrower, more targeted, and conducted by OCR, Goldman says. OCR also will audit some business associates of each provider audited, she says.
So how will the desk audits be conducted? The term "desk audit" is intended to convey that the audit will not be an on-site visit, but rather providers should be able to respond to the audits from their desks by providing policies and documentation of privacy policies and procedures, explains Patricia Wagner, JD, an attorney with the law firm of Epstein Becker Green in Washington, DC. For organizations that are well-organized, the response process should be relatively pain-free, she says. Rather than an on-site visit during which the auditors would interview employees about HIPAA compliance, the desk audit is strictly a look at documentation. That difference means that you won’t...